Hack of federal records shows security weakness

San Francisco Chronicle

June 8, 2015 | Updated: June 8, 2015 5:03pm

Photo: Susan Walsh, Associated Press

The Homeland Security Department headquarters in northwest Washington, Friday, June 5, 2015. China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time. The Department of Homeland Security said in a statement that data from the Office of Personnel Management (the human resources department for the federal government) and the Interior Department had been compromised. (AP Photo/Susan Walsh)

Four million federal workers are learning their personnel files were hacked recently, joining tens of millions of others whose medical records, credit card numbers and office e-mails were picked off by intruders. The balky, slow-moving world of cyberprotection is notching another loss.

The latest incident combines features of past break-ins. Hackers, reportedly based in China, breached a giant federal HR system. The whys and wherefores are intriguing: experts think the break-in artists weren’t aiming to sell the data to cyberthieves but instead to use the information to build a picture of human activity.

Insider details such as who’s losing a house to foreclosure, facing heavy medical bills or running low on retirement money might show up. These financially hurting workers could be targets for blackmail or recruiting. If that option sounds too dramatic, it may be a simpler matter of collecting heaps of information to build a personnel profile on a global foe, much the way conventional data miners build a sophisticated picture of consumers.

Last year, federal experts sounded the alarm about aging firewalls in a too-late warning. The complexity of an overhaul of dozens of systems stymied results, giving outsiders more chances to slip in. A supposedly tech-savvy White House presided over mapped-out improvements that went nowhere.

Lost in the mix are those whose private records aren’t so private any more. As with medical insurers and retail stores that were hacked, notifications will be mailed out. But that comes late and with no assurance that the lost data won’t shadow the future.

The continuing hacks go a long way to explaining why the National Security Agency took center stage in wide-scale sifting of Internet traffic. It wasn’t just terrorist threats that bothered Washington policymakers but also hackers and foreign governments probing U.S. computer systems. The super-agency with its enormous reach became a default line of defense, never mind the privacy worries.

As the breaches roll on, Washington must do more to protect national interests, government data and the individuals involved. The slow pace and indecision can’t be tolerated any longer.